Picking the lock: Hotel-room hacks

The Economist

LAST MONTH Cody Brocious, a software developer for Mozilla, the company that makes the Firefox web browser, appeared at a hacking conference in Las Vegas to demonstrate a security flaw in hotel-room locks manufactured by a company called Onity. Mr Brocious's paper on the flaw is available on his website, but suffice it to say that using a $30 microcontroller that he plugs into an open port at the bottom of the hotel room locks, he can access what may be as many as millions of hotel rooms worldwide.

ExtremeTech's Sebastian Anthony calls this a "stupendously disgusting lack of security" and argues that "for a company that is tasked with securing millions of humans every night...it wouldve been nice if Onity had shown slightly more foresight."

Now that Mr Brocious's hack is public, Onity has had no choice but to start dealing with it. The hacker did not explain the flaw to the company in advance of revealing it to the public, a decision he told Forbes was because he saw "no path to mitigate this from Onity's side." To fix the problem, the locks' entire circuitboard has to be replacedand on millions of locks, that's a process that could take a long time.

On Saturday, we learned what Onity is doing to deal with this flaw: as the Verge's Bryan Bishop reports, the company is offering hotels two solutions. The first is a mechanical fix that does not actually repair the software vulnerability: Onity will provide hotels with caps for the open ports on its locks, along with a security screw. Together, that solution will mean that potential hackers will have to partially dismantle the lock to get at the open port. The mechanical caps are free. The second solution, thoughand the only one that actually fixes the software problemis far from free. Here's an excerpt from a statement the company released last week:

The second solution Onity will offer to our customers, if they choose to use this option, is to upgrade the firmware of the HT and ADVANCE series locks. The firmware is currently complete for the HT24 lock, and by early next week should be complete for the entire HT series of locks. By the end of August we should have the firmware complete for the ADVANCE lock as well.

The deployment of this second solution, for HT series locks, will involve replacement of the control board in the lock. For locks that have upgradable control boards, there may be a nominal fee. Shipping, handling and labor costs to install these boards will be the responsibility of the property owner. For locks that do not have upgradable control boards, special pricing programs have been put in place to help reduce the impact to upgrade the older model locks.

It's good to see that Onity is taking steps to repair this vulnerability. But business travellers should be aware that hotels secured with Onity-brand locks that have open ports on the bottom may be hackable for some time to come. And it's easy to see how a mistake like this could be devastating for Onity's brand. Why would hotels pay to upgrade their vulnerable Onity locks to newer, supposedly unhackable Onity locks when they could switch to a different manufacturer entirely?